[THEGrid] AuthZ handling in an example LCG experiment [Fwd: AuthZ proposals for SC4]

Alan Sill Alan.Sill at ttu.edu
Tue Nov 1 09:33:07 CST 2005


SURAGrid colleagues,

Collected from another list, here as background information for
discussion are a set of slides and links to other information about  
AuthZ handling and attribute-based mapping of users to accounts based  
on groups and roles from one of the large US + EGEE LCG efforts  
(ATLAS and USATLAS in this case).  The background is that user  
virtual organization membership based on VOMS as an authorization  
database is supplemented by groups and roles (using VOMRS as in the  
example we have brought up for TIGRE), allowing a site to run  
software that makes the decision regarding what local account and  
group to assign to a user who comes in with these attributes declared  
and asserted.  (Note that the European and US efforts currently use  
different sets of local on-site software to implement the local  
mapping: European efforts tend to use site software based on the  
VOBOX or G-PBox methods, and US sites within OSG currently use GUMS  
at the site level plus PRIMA on the gatekeeper to implement the  
account mapping; but both logically do the same thing.)

The "backup slides" in the talk linked by Alessandro are also worth
studying.

There are other starting points for AuthZ and attribute-based  
authorization and account mapping, but this is a good set of links to  
start from.

Looking forward to tomorrow's SURAGrid AuthZ discussion and to  
progress towards SC2005 and beyond!

Alan

Begin forwarded message:

> On Wed, 19 Oct 2005, Carcassi, Gabriele wrote:
>
> ... The system I have described is _in
> production_ ... : It's what we already
> told the USATLAS users to use.
> For example: this is a demo/tutorial for the user:
>
> http://www.usatlas.bnl.gov/twiki/bin/view/UserGRID/HowToUSATLASRoles.
>
> At the bottom, it has the list of group/roles we currently support.
> As for all ATLAS, Alessandro DeSalvo did a very good job in collecting
> all the requirements. He presented them in various occasions, including
> the AuthZ workshop. He'll be able to tell you better which set of slides
> is the most up to date.
>

The most updated slides are the ones I presented in the BS group:

http://agenda.cern.ch/askArchive.php?base=agenda&categ=a056346&id=a056346s1t0%2Ftransparencies%2FVOMS_ATLAS_bswg-20051030.ppt

Cheers,

     Alessandro

>
>> I would like to see VOMS gridmap
>> and groupmap configurations for each experiment, such that we can discuss
>> if they actually can be implemented in the short term...
>
> In OSG we use PRIMA+GUMS (used typically by a "big" site) or mkgridmap
> (for a "small" site). These are the instructions we give USATLAS on how
> they should be configured:
> http://osg.ivdgl.org/twiki/bin/view/Provisioning/AtlasPrivilege
>
> For a more detailed description on how things are implemented at
> Brookhaven, you can look at:
> http://www.usatlas.bnl.gov/twiki/bin/view/LocalAdmin/BnlGumsAndAtlasVo


Alan Sill
TIGRE Senior Scientist
High Performance Computing Center
TTU

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================
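
The attribute-based mapping described in the message above (a site deciding which local account and group a user gets from the VOMS group and role they assert), as an added example that is not part of the original message and is not GUMS, PRIMA or any site's code. The policy table, group and role names, and account names are constructed for illustration; matching only the primary (first) FQAN and denying anything unmatched are assumptions of this sketch.

```python
import re
from typing import NamedTuple, Optional, Sequence, Tuple

class Fqan(NamedTuple):
    group: str            # VO group path, e.g. "/atlas/usatlas"
    role: Optional[str]   # None when no role is asserted (absent or Role=NULL)

# VOMS FQAN shape: /vo[/subgroup...][/Role=name][/Capability=value]
_FQAN_RE = re.compile(
    r"(?P<group>(?:/[A-Za-z0-9][A-Za-z0-9._-]*)+)"
    r"(?:/Role=(?P<role>[A-Za-z0-9._-]+))?"
    r"(?:/Capability=[A-Za-z0-9._-]+)?")

def parse_fqan(text: str) -> Fqan:
    """Parse one FQAN strictly; anything that is not a full match is rejected."""
    m = _FQAN_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"malformed FQAN: {text!r}")
    role = m.group("role")
    return Fqan(m.group("group"), None if role in (None, "NULL") else role)

# Constructed site policy (hypothetical names): (group, role, account, unix group).
# Group and role must both match exactly, so an unknown role is never
# silently mapped to the plain member account.
POLICY = [
    ("/atlas/usatlas", "production", "usatlas1", "usatlas"),
    ("/atlas/usatlas", "software",   "usatlas2", "usatlas"),
    ("/atlas/usatlas", None,         "usatlas3", "usatlas"),
    ("/atlas",         None,         "atlas",    "atlas"),
]

def map_user(fqans: Sequence[str]) -> Optional[Tuple[str, str]]:
    """Return (account, unix_group) for the primary FQAN, or None to deny."""
    if not fqans:
        return None                      # no attributes asserted: deny
    try:
        primary = parse_fqan(fqans[0])   # assumption: only the primary FQAN counts
    except ValueError:
        return None                      # malformed attribute: deny
    for group, role, account, unix_group in POLICY:
        if primary.group == group and primary.role == role:
            return account, unix_group
    return None                          # default deny

if __name__ == "__main__":
    for sample in (["/atlas/usatlas/Role=production/Capability=NULL"],
                   ["/atlas/usatlas/Role=admin"], ["/cms"]):
        print(sample[0], "->", map_user(sample))
```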



